|
综合安全报告 文档映射 4 介绍 5 目标 5 管理摘要报告 6 问题的数量(全部 19 ) 6 问题的数量(按照“测试类型”) 7 有漏洞的 URL 和无漏洞的 URL 比较 10 修复任务数量 11 详细摘要 12 问题类型 12 修复任务 13 有漏洞的 URL 14 漏洞详细信息 15 严重性为高的“问题类型” 15 严重性为中的“问题类型” 16 严重性为低的“问题类型” 17 严重性为参考信息的“问题类型” 18 测试策略 20 详细的修复任务 21 高优先级修复任务 21 中优先级修复任务 23 低优先级修复任务 25 应用程序数据 27 参数 27 失败请求 27 JavaScript 28 注释 28 cookie 28 应用程序 URL 28 该报告包含以下部分: § 介绍和目标 § 管理摘要报告 §该部分旨在提供对应用程序安全状态的一般了解。 § § 详细摘要 § § 漏洞详细信息 §该部分用于认识不同问题的性质和影响,并指导修复。 § § 应用程序信息 §该部分用于了解扫描的覆盖范围,因为只测试了在应用程序数据中详细描述的区域。 § 该报告会保留由 [公司名称] 安全小组在 [赋值名] 应用程序上执行的 Web 应用程序安全扫描的结果。 扫描显示了该应用程序中 0 严重性为高的安全问题、0 严重性为中的安全问题和 19 严重性为低的安全问题。 该“管理综合报告”和“详细摘要”已整合查找结果。其他信息包含在该报告的“漏洞详细信息”部分。 [公司名称] 安全小组在 Web 应用程序上执行实时安全评估。这些评估旨在显示已扫描的 Web 应用程序中的任何安全性问题,解释与找到的问题相关联的影响和风险,和提供优先级划分和修复步骤的准则, 该赋值的目标是执行控制的攻击和穿透活动,以评估 [赋值名] Web 应用程序的整体安全级别。 应用程序的访问凭证和/或应用程序概述已提供/未提供给 [公司名称] 安全小组。 该报告包含从已授权/未授权攻击者的角度,对 [赋值名] 应用程序所进行的测试。 问题的数量(全部 19 )
问题的数量(按照“测试类型”)
有漏洞的 URL 和无漏洞的 URL 比较
修复任务数量
高严重性问题
中等级别的安全性问题
低级别严重性问题
参考信息严重性问题
修复任务
有漏洞的 URL
严重性为高的“问题类型”严重性为中的“问题类型”严重性为低的“问题类型”
咨询和修订建议来自其他域的脚本和链接标标签标记不支持完整性检查。 如果包含脚本的服务出现弱点,则这一点可能被利用。、 不支持 SRI 的样本脚本元素: <script src="https:///example-framework.js" crossorigin="anonymous"></script> 支持 SRI 的样本脚本元素: <script src="https:///example-framework.js" integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7" crossorigin="anonymous"></script> user-agent 无法通过第三方服务来验证脚本。 如果是第三方服务出现弱点,那么用户无法受到保护。 SRI 支持 SRI (Subresource Integrity) 的检查 不支持子资源完整性。 该问题可能会影响各种类型的产品。 受影响的 URL§ http://10.1.20.137:8085/tologin § http://10.1.20.137:8085/tomain 问题 1/2( http://10.1.20.137:8085/tomain - tomain )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 x-ua-compatible: IE=edge Transfer-Encoding: chunked cache-control: no-transform Content-Language: en-US Date: Fri, 11 Oct 2019 01:27:19 GMT Content-Type: text/html;charset=UTF-8 <!DOCTYPE html> <html lang="zh-CN"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta http-equiv="Cache-Control" content="no-transform"> <title>index</title> <link rel="shortcut icon" href="/Public/img/favicon.ico"/> <link href="/css/bootstrap.css" rel="stylesheet"> <link href="/css/main.css" rel="stylesheet" type="text/css" /> <link href="/css/index.css" rel="stylesheet" type="text/css" /> <link href="/css/detail.css" rel="stylesheet" type="text/css" /> <link href="/css/user.css" rel="stylesheet" type="text/css" /> <link href="/css/announcement.css" rel="stylesheet" type="text/css" /> <link href="/css/bootstrap-datetimepicker.min.css" rel="stylesheet" type="text/css" /> <link rel="stylesheet" href="/css/index1.css" /> <script src="/js/html5shiv.min.js"></script> <script src="/js/respond.min.js"></script> <script src="/js/jquery.min.js"></script> <script> var rootUrl = ''; </script> <script type="text/javascript" src="/js/jquery-2.1.4/jquery.js"></script> <script type="text/javascript"> $(function(){ $("#but1").click(function(){//点击 confirm("暂未登录,是否登录?"); }); $("#but2").click(function(){//点击 confirm("暂未开户,是否进行开户?"); }); }) </script> </head> <body> <div class="home"> <header class="header"> <nav class="navbar navbar-default navbar-fixed-top"> <div class="container"> <div class="row"> <div class="hidden-xs hidden-sm col-md-3 col-lg-3"> <div class="navbar-header navbar-left"> <a class="navbar-brand-mc" href="/"> <img src="picture/milogo.png" alt="logo"/> </a> <a class="company-name">钱多多金融</a> </div> </div> <div class="hidden-xs col-sm-5 col-md-4 col-lg-4"> <div id="navbar" class="navbar-collapse collapse"> <ul class="nav navbar-nav pull-right head-list"> <li id="nav-index"></li> <!-- 通过后台跳转页面 --> <li></li> <li></li> </ul> </div> </div> <div class="hidden-xs col-sm-7 col-md-5 col-lg-5"> <div id="navbar" class="navbar-collapse collapse"> <ul class="nav navbar-nav pull-right head-list"> <li><a></a></li> <li id="nav-index"><a href="/tologin">登录/注册</a></li> <li id="nav-index"></li> </ul> </div> </div> </div> </div> </nav> </header> <div class="content"> <div class="wrapper"> </div> <div class="home-page container"> <div class="row"> <div class="col-xs-12 col-sm-12 col-md-12 col-lg-12"> <!--BEGIN NEW COURSES--> <div class="section section-carousel"> <h4>产品推荐</h4> <div id="carousel-example-generic" class="carousel slide" data-ride="carousel"> <!-- Indicators --> <ol class="carousel-indicators"> <li data-target="#carousel-example-generic" data-slide-to="0" class="active"></li> <li data-target="#carousel-example-generic" data-slide-to="1"></li> <!--<li data-target="#carousel-example-generic" data-slide-to="2"></li>--> </ol> <!-- Wrapper for slides --> <div class="carousel-inner" role="listbox"> <div class="item active"> <div class="row"> <div class="col-xs-12 col-sm-6 col-md-4 col-lg-4"> <div class="jumbotron goods-detail"> <span style="padding-left: 38px;">[新手标]凤储计划-</span> <span style="padding-left: 53px;">20180829011</span> ...
问题 2/2( http://10.1.20.137:8085/tologin - tologin )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 x-ua-compatible: IE=edge Transfer-Encoding: chunked cache-control: no-transform Content-Language: en-US Date: Fri, 11 Oct 2019 01:27:04 GMT Content-Type: text/html;charset=UTF-8 <!DOCTYPE html> <html lang="zh-CN"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta http-equiv="Cache-Control" content="no-transform"> <title>login</title> <link rel="shortcut icon" href="/Public/img/favicon.ico"/> <link href="/css/bootstrap.css" rel="stylesheet"> <link href="/css/main.css" rel="stylesheet" type="text/css" /> <link href="/css/index.css" rel="stylesheet" type="text/css" /> <link href="/css/detail.css" rel="stylesheet" type="text/css" /> <link href="/css/user.css" rel="stylesheet" type="text/css" /> <link href="/css/announcement.css" rel="stylesheet" type="text/css" /> <link href="/css/bootstrap-datetimepicker.min.css" rel="stylesheet" type="text/css" /> <link rel="stylesheet" href="/css/login.css" /> <script src="/js/html5shiv.min.js"></script> <script src="/js/respond.min.js"></script> <script src="/js/jquery.min.js"></script> <script> var rootUrl = ''; </script> <script type="text/javascript"> $(function(){ $("#but").click(function(){ $.ajax({ url:"/checkLogin", type:"post", dataType:"json", data:{ "admin":$("#username").val(), "password":$("#login-password").val(), }, success:function(data){ if(data.mess){ location.href="/tomain"; } else{ $("#f1").html("用户名或密码输入错误"); } }, error:function(data){ alert("请填写正确信息!!!"); } }); }); /* 注册 */ /* 先验证用户名是否存在*/ var flag; $("#regadmin").blur(function(){ $.ajax({ url:"/checkRegister", type:"post", dataType:"json", data:{ "admin":$("#regadmin").val(), }, success:function(data){ if(data.mess){ flag=data.mess; $("#f2").html("用户名已存在,请重新输入"); } }, error:function(data){ alert("请填写正确信息!!!"); } }) /* 获取焦点的时候 */ $("#regadmin").focus(function(){ $("#f2").html(""); }) /* 点击获取验证码的时候 */ var hash; var tamp; var wait=60; $("#verify_refresh").click(function(){ $.ajax({ dataType:"json", type:"post", url:"/sendMsg", data:{"telephone":$("#telephone").val()}, xhrFields: { withCredentials: true }, success: function (data) { hash = data.hash; tamp = data.tamp; }, error: function (data) { alert("请填写正确信息!!!"); } }); }) /* 设置时间 */ function setButtonStatus(that) { if (wait == 0) { that.removeAttribute("disabled"); that.value="免费获取验证码"; wait = 60; } else { that.setAttribute("disabled", true); that.value=wait+"秒后可以重新发送"; wait--; setTimeout(function() { setButtonStatus(that) }, 1000) } } /* 点击注册 */ $("#butregster").click(function(){ $.ajax({ dataType:"json", type:"post", url:"/validate", data:{ "msgNum":$("#register-password").val(),/* 验证码 */ "hash":hash, "tamp":tamp, "telphone":$("#telephone").val(), "admin":$("#regadmin").val(),/* 用户名 */ "password":$("#registerPassword").val()/* 密码 */ }, success: function (data) { if(data.flag){ location.href="/tologin"; }else{ alert("验证码错误或超时"); } }, error: function (data) { alert("请填写正确信息!!!"); } }); }) }) }) </script> </head> <body> <div class="home"> <header class="header"> <nav class="navbar navbar-default navbar-fixed-top"> <div class="container"> <div class="row"> <div class="hidden-xs hidden-sm col-md-3 col-lg-3"> <div class="navbar-header navbar-left"> <a class="navbar-brand-mc" href="/tomain"> <img src="/picture/milogo.png" alt="logo"/> <h4 class="company-name">钱多多金融</h4> </a> </div> </div> </div> </div> </nav> </header> <div class="content"> <div class="wrapper"> <div class="container"> <div class="row"> <div class="wrapper-intro col-xs-0 col-sm-6 col-md-8 col-lg-8"> <img src="/picture/milogo.png"/> <br/> ...
咨询和修订建议似乎 Web 服务器配置成允许下列其中一个(或多个)HTTP 方法(动词): - DELETE - SEARCH - COPY - MOVE - PROPFIND - PROPPATCH - MKCOL - LOCK - UNLOCK - PUT 这些方法可能表示在服务器上启用了 WebDAV,可能允许未授权的用户对其进行利用。 可能会在 Web 服务器上上载、修改或删除 Web 页面、脚本和文件 启用了不安全的“OPTIONS”HTTP 方法 启用了不安全的“OPTIONS”HTTP 方法 Web 服务器或应用程序服务器是以不安全的方式配置的 该问题可能会影响各种类型的产品 受影响的 URL§ http://10.1.20.137:8085/ 问题 1/1( http://10.1.20.137:8085/ - / )严重性: LowCVSS 计分: 5图像
所有变体 变体差异· 已将路径设置为“/” · 已将方法设置为“OPTIONS” 变体原因 变体验证· Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH 变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 404 Content-Length: 306 Content-Language: en-US Date: Fri, 11 Oct 2019 01:33:04 GMT Content-Type: text/html;charset=UTF-8 Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH <html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Fri Oct 11 09:33:05 CST 2019</div><div>There was an unexpected error (type=Not Found, status=404).</div><div>No message available</div></body></html>
咨询和修订建议“Content-Security-Policy”头设计用于修改浏览器渲染页面的方式,并因此排除各种跨站点注入,包括跨站点脚本编制。以不会阻止 web 站点的正确操作的方式正确地设置头值就非常的重要。例如,如果头设置为阻止内联 JavaScript 的执行,那么 web 站点不得在其页面中使用内联 JavaScript。 可能会收集有关 Web 应用程序的敏感信息,如用户名、密码、机器名和/或敏感文件位置 缺少“Content-Security-Policy”头 缺少“Content-Security-Policy”头 Web 应用程序编程或配置不安全 该问题可能会影响各种类型的产品 受影响的 URL§ http://10.1.20.137:8085/js/bootstrap.min.js § http://10.1.20.137:8085/js/footer.js § http://10.1.20.137:8085/js/header.js § http://10.1.20.137:8085/js/jquery.toaster.js § http://10.1.20.137:8085/js/respond.min.js 问题 1/5( http://10.1.20.137:8085/js/footer.js - footer.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 1163 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /** * Created by cpc on 12/27/15. */ function noticeInfo(content) { $.toaster({ title : content, priority : 'info', message : ')' }); } function noticeWarning(content) { $.toaster({ title : content, priority : 'warning', message : '(' }); } function sendEmail() { $.ajax({ type: 'post', url: rootUrl+'/feedback/sendEmail', success: function() {} }); } $(document).ready(function() { $('#send-feedback').click(function() { var content = $('#feedback-content').val().trim(); if (content == '') { noticeWarning('反馈不能为空'); return; } var data = { content: content }; $.ajax({ type: 'post', url: rootUrl+'/feedback', data: data, success: function(status) { if (status > 0) { sendEmail(); noticeInfo('反馈成功'); $('#modal-feedback').modal('hide'); } else if (status == 0) { $.toaster({ title : '还没登录喔~', priority : 'danger', message : '(' }); } else { $.toaster({ title : '出错啦,请稍候再试~', priority : 'danger', message : '(' }); } } }); }); });
问题 2/5( http://10.1.20.137:8085/js/respond.min.js - respond.min.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 4377 Date: Fri, 11 Oct 2019 01:27:08 GMT Content-Type: application/javascript /*! Respond.js v1.4.2: min/max-width media query polyfill * Copyright 2013 Scott Jehl * Licensed under https://github.com/scottjehl/Respond/blob/master/LICENSE-MIT * */ !function(a){"use strict";a.matchMedia=a.matchMedia||function(a){var b,c=a.documentElement,d=c.firstElementChild||c.firstChild,e=a.createElement("body"),f=a.createElement("div");return f.id="mq-test-1",f.style.cssText="position:absolute;top:-100em",e.style.background="none",e.appendChild(f),function(a){return f.innerHTML='­<style media="'+a+'"> #mq-test-1 { width: 42px; }</style>',c.insertBefore(e,d),b=42===f.offsetWidth,c.removeChild(e),{matches:b,media:a}}}(a.document)}(this),function(a){"use strict";function b(){u(!0)}var c={};a.respond=c,c.update=function(){};var d=[],e=function(){var b=!1;try{b=new a.XMLHttpRequest}catch(c){b=new a.ActiveXObject("Microsoft.XMLHTTP")}return function(){return b}}(),f=function(a,b){var c=e();c&&(c.open("GET",a,!0),c.onreadystatechange=function(){4!==c.readyState||200!==c.status&&304!==c.status||b(c.responseText)},4!==c.readyState&&c.send(null))};if(c.ajax=f,c.queue=d,c.regex={media:/@media[^\{]+\{([^\{\}]*\{[^\}\{]*\})+/gi,keyframes:/@(?:\-(?:o|moz|webkit)\-)?keyframes[^\{]+\{(?:[^\{\}]*\{[^\}\{]*\})+[^\}]*\}/gi,urls:/(url\()['"]?([^\/\)'"][^:\)'"]+)['"]?(\))/g,findStyles:/@media *([^\{]+)\{([\S\s]+?)$/,only:/(only\s+)?([a-zA-Z]+)\s?/,minw:/\([\s]*min\-width\s*:[\s]*([\s]*[0-9\.]+)(px|em)[\s]*\)/,maxw:/\([\s]*max\-width\s*:[\s]*([\s]*[0-9\.]+)(px|em)[\s]*\)/},c.mediaQueriesSupported=a.matchMedia&&null!==a.matchMedia("only all")&&a.matchMedia("only all").matches,!c.mediaQueriesSupported){var g,h,i,j=a.document,k=j.documentElement,l=[],m=[],n=[],o={},p=30,q=j.getElementsByTagName("head")[0]||k,r=j.getElementsByTagName("base")[0],s=q.getElementsByTagName("link"),t=function(){var a,b=j.createElement("div"),c=j.body,d=k.style.fontSize,e=c&&c.style.fontSize,f=!1;return b.style.cssText="position:absolute;font-size:1em;width:1em",c||(c=f=j.createElement("body"),c.style.background="none"),k.style.fontSize="100%",c.style.fontSize="100%",c.appendChild(b),f&&k.insertBefore(c,k.firstChild),a=b.offsetWidth,f?k.removeChild(c):c.removeChild(b),k.style.fontSize=d,e&&(c.style.fontSize=e),a=i=parseFloat(a)},u=function(b){var c="clientWidth",d=k[c],e="CSS1Compat"===j.compatMode&&d||j.body[c]||d,f={},o=s[s.length-1],r=(new Date).getTime();if(b&&g&&p>r-g)return a.clearTimeout(h),h=a.setTimeout(u,p),void 0;g=r;for(var v in l)if(l.hasOwnProperty(v)){var w=l[v],x=w.minw,y=w.maxw,z=null===x,A=null===y,B="em";x&&(x=parseFloat(x)*(x.indexOf(B)>-1?i||t():1)),y&&(y=parseFloat(y)*(y.indexOf(B)>-1?i||t():1)),w.hasquery&&(z&&A||!(z||e>=x)||!(A||y>=e))||(f[w.media]||(f[w.media]=[]),f[w.media].push(m[w.rules]))}for(var C in n)n.hasOwnProperty(C)&&n[C]&&n[C].parentNode===q&&q.removeChild(n[C]);n.length=0;for(var D in f)if(f.hasOwnProperty(D)){var E=j.createElement("style"),F=f[D].join("\n");E.type="text/css",E.media=D,q.insertBefore(E,o.nextSibling),E.styleSheet?E.styleSheet.cssText=F:E.appendChild(j.createTextNode(F)),n.push(E)}},v=function(a,b,d){var e=a.replace(c.regex.keyframes,"").match(c.regex.media),f=e&&e.length||0;b=b.substring(0,b.lastIndexOf("/"));var g=function(a){return a.replace(c.regex.urls,"$1"+b+"$2$3")},h=!f&&d;b.length&&(b+="/"),h&&(f=1);for(var i=0;f>i;i++){var j,k,n,o;h?(j=d,m.push(g(a))):(j=e[i].match(c.regex.findStyles)&&RegExp.$1,m.push(RegExp.$2&&g(RegExp.$2))),n=j.split(","),o=n.length;for(var p=0;o>p;p++)k=n[p],l.push({media:k.split("(")[0].match(c.regex.only)&&RegExp.$2||"all",rules:m.length-1,hasquery:k.indexOf("(")>-1,minw:k.match(c.regex.minw)&&parseFloat(RegExp.$1)+(RegExp.$2||""),maxw:k.match(c.regex.maxw)&&parseFloat(RegExp.$1)+(RegExp.$2||"")})}u()},w=function(){if(d.length){var b=d.shift();f(b.href,function(c){v(c,b.href,b.media),o[b.href]=!0,a.setTimeout(function(){w()},0)})}},x=function(){for(var b=0;b<s.length;b++){var c=s[b],e=c.href,f=c.media,g=c.rel&&"stylesheet"===c.rel.toLowerCase();e&&g&&!o[e]&&(c.styleSheet&&c.styleSheet.rawCssText?(v(c.styleSheet.rawCssText,e,f),o[e]=!0):(!/^([a-zA-Z:]*\/\/)/.test(e)&&!r||e.replace(RegExp.$1,"").split("/")[0]===a.location.host)&&("//"===e.substring(0,2)&&(e=a.location.protocol+e),d.push({href:e,media:f})))}w()};x(),c.update=x,c.getEmValue=t,a.addEventListener?a.addEventListener("resize",b,!1):a.attachEvent&&a.attachEvent("onresize",b)}}(this);
问题 3/5( http://10.1.20.137:8085/js/header.js - header.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 1023 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /** * Created by soujing on 12/27/15. */ $(document).ready(function() { $.get( rootUrl + "/Index/checkLogin", {}, function(data){ if(data){ loginNav(); } else{ $(".logout").parent().remove(); } } ) }) function loginNav(){ $.get( rootUrl + "/User/getLoginInit", {}, function(data){ var mesNum = data['mes_num']; var userName = data['name']; var userIcon = data['icon']; var isRead = data['read']; if(mesNum != 0){ var mesSpan = ' <span class="badge"> '+ mesNum + '</span>'; $("#nav-messages").append(mesSpan); } if(!isRead){ var redPoint = '<div class="red-point"></div>'; $("#nav-notice").children("a").append(redPoint); $("#xs-nav-notice").children("a").append(redPoint); } } ) }
问题 4/5( http://10.1.20.137:8085/js/bootstrap.min.js -bootstrap.min.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 36816 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /*! * Bootstrap v3.3.5 (http://) * Copyright 2011-2015 Twitter, Inc. * Licensed under the MIT license */ if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");+function(a){"use strict";var b=a.fn.jquery.split(" ")[0].split(".");if(b[0]<2&&b[1]<9||1==b[0]&&9==b[1]&&b[2]<1)throw new Error("Bootstrap's JavaScript requires jQuery version 1.9.1 or higher")}(jQuery),+function(a){"use strict";function b(){var a=document.createElement("bootstrap"),b={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var c in b)if(void 0!==a.style[c])return{end:b[c]};return!1}a.fn.emulateTransitionEnd=function(b){var c=!1,d=this;a(this).one("bsTransitionEnd",function(){c=!0});var e=function(){c||a(d).trigger(a.support.transition.end)};return setTimeout(e,b),this},a(function(){a.support.transition=b(),a.support.transition&&(a.event.special.bsTransitionEnd={bindType:a.support.transition.end,delegateType:a.support.transition.end,handle:function(b){return a(b.target).is(this)?b.handleObj.handler.apply(this,arguments):void 0}})})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var c=a(this),e=c.data("bs.alert");e||c.data("bs.alert",e=new d(this)),"string"==typeof b&&e[b].call(c)})}var c='[data-dismiss="alert"]',d=function(b){a(b).on("click",c,this.close)};d.VERSION="3.3.5",d.TRANSITION_DURATION=150,d.prototype.close=function(b){function c(){g.detach().trigger("closed.bs.alert").remove()}var e=a(this),f=e.attr("data-target");f||(f=e.attr("href"),f=f&&f.replace(/.*(?=#[^\s]*$)/,""));var g=a(f);b&&b.preventDefault(),g.length||(g=e.closest(".alert")),g.trigger(b=a.Event("close.bs.alert")),b.isDefaultPrevented()||(g.removeClass("in"),a.support.transition&&g.hasClass("fade")?g.one("bsTransitionEnd",c).emulateTransitionEnd(d.TRANSITION_DURATION):c())};var e=a.fn.alert;a.fn.alert=b,a.fn.alert.Constructor=d,a.fn.alert.noConflict=function(){return a.fn.alert=e,this},a(document).on("click.bs.alert.data-api",c,d.prototype.close)}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.button"),f="object"==typeof b&&b;e||d.data("bs.button",e=new c(this,f)),"toggle"==b?e.toggle():b&&e.setState(b)})}var c=function(b,d){this.$element=a(b),this.options=a.extend({},c.DEFAULTS,d),this.isLoading=!1};c.VERSION="3.3.5",c.DEFAULTS={loadingText:"loading..."},c.prototype.setState=function(b){var c="disabled",d=this.$element,e=d.is("input")?"val":"html",f=d.data();b+="Text",null==f.resetText&&d.data("resetText",d[e]()),setTimeout(a.proxy(function(){d[e](null==f[b]?this.options[b]:f[b]),"loadingText"==b?(this.isLoading=!0,d.addClass(c).attr(c,c)):this.isLoading&&(this.isLoading=!1,d.removeClass(c).removeAttr(c))},this),0)},c.prototype.toggle=function(){var a=!0,b=this.$element.closest('[data-toggle="buttons"]');if(b.length){var c=this.$element.find("input");"radio"==c.prop("type")?(c.prop("checked")&&(a=!1),b.find(".active").removeClass("active"),this.$element.addClass("active")):"checkbox"==c.prop("type")&&(c.prop("checked")!==this.$element.hasClass("active")&&(a=!1),this.$element.toggleClass("active")),c.prop("checked",this.$element.hasClass("active")),a&&c.trigger("change")}else this.$element.attr("aria-pressed",!this.$element.hasClass("active")),this.$element.toggleClass("active")};var d=a.fn.button;a.fn.button=b,a.fn.button.Constructor=c,a.fn.button.noConflict=function(){return a.fn.button=d,this},a(document).on("click.bs.button.data-api",'[data-toggle^="button"]',function(c){var d=a(c.target);d.hasClass("btn")||(d=d.closest(".btn")),b.call(d,"toggle"),a(c.target).is('input[type="radio"]')||a(c.target).is('input[type="checkbox"]')||c.preventDefault()}).on("focus.bs.button.data-api blur.bs.button.data-api",'[data-toggle^="button"]',function(b){a(b.target).closest(".btn").toggleClass("focus",/^focus(in)?$/.test(b.type))})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.carousel"),f=a.extend({},c.DEFAULTS,d.data(),"object"==typeof b&&b),g="string"==typeof b?b:f.slide;e||d.data("bs.carousel",e=new c(this,f)),"number"==typeof b?e.to(b):g?e[g]():f.interval&&e.pause().cycle()})}var c=function(b,c){this.$element=a(b),this.$indicators=this.$element.find(".carousel-indicators"),this.options=c,this.paused=null,this.sliding=null,this.interval=null,this.$active=null,this.$items=null,this.options.keyboard&&this.$element.on("keydown.bs.caro...
问题 5/5( http://10.1.20.137:8085/js/jquery.toaster.js -jquery.toaster.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 5450 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /*********************************************************************************** * Add Array.indexOf * ***********************************************************************************/ (function () { if (typeof Array.prototype.indexOf !== 'function') { Array.prototype.indexOf = function(searchElement, fromIndex) { for (var i = (fromIndex || 0), j = this.length; i < j; i += 1) { if ((searchElement === undefined) || (searchElement === null)) { if (this[i] === searchElement) { return i; } } else if (this[i] === searchElement) { return i; } } return -1; }; } })(); /**********************************************************************************/ (function ($,undefined) { var toasting = { gettoaster : function () { var toaster = $('#' + settings.toaster.id); if(toaster.length < 1) { toaster = $(settings.toaster.template).attr('id', settings.toaster.id).css(settings.toaster.css).addClass(settings.toaster['class']); if ((settings.stylesheet) && (!$("link[href=" + settings.stylesheet + "]").length)) { $('head').appendTo('<link rel="stylesheet" href="' + settings.stylesheet + '">'); } $(settings.toaster.container).append(toaster); } return toaster; }, notify : function (title, message, priority) { var $toaster = this.gettoaster(); var $toast = $(settings.toast.template.replace('%priority%', priority)).hide().css(settings.toast.css).addClass(settings.toast['class']); $('.title', $toast).css(settings.toast.csst).html(title); $('.message', $toast).css(settings.toast.cssm).html(message); if ((settings.debug) && (window.console)) { console.log(toast); } $toaster.append(settings.toast.display($toast)); if (settings.donotdismiss.indexOf(priority) === -1) { var timeout = (typeof settings.timeout === 'number') ? settings.timeout : ((typeof settings.timeout === 'object') && (priority in settings.timeout)) ? settings.timeout[priority] : 1500; setTimeout(function() { settings.toast.remove($toast, function() { $toast.remove(); }); }, timeout); } } }; var defaults = { 'toaster' : { 'id' : 'toaster', 'container' : 'body', 'template' : '<div></div>', 'class' : 'toaster', 'css' : { 'position' : 'fixed', 'top' : '10px', 'right' : '10px', 'width' : '300px', 'zIndex' : 50000 } }, 'toast' : { 'template' : '<div class="alert alert-%priority% alert-dismissible" role="alert">' + '<button type="button" class="close" data-dismiss="alert">' + '<span aria-hidden="true">×</span>' + '<span class="sr-only">Close</span>' + '</button>' + '<span class="title"></span>: <span class="message"></span>' + '</div>', 'css' : {}, 'cssm' : {}, 'csst' : { 'fontWeight' : 'bold' }, 'fade' : 'slow', 'display' : function ($toast) { return $toast.fadeIn(settings.toast.fade); }, 'remove' : function ($toast, callback) { return $toast.animate( { opacity : '0', padding : '0px', margin : '0px', height : '0px' }, { duration : settings.toast.fade, complete : callback } ); } ...
咨询和修订建议“X-Content-Type-Options”头(具有“nosniff”值)可防止IE 和 Chrome 忽略响应的内容类型。该操作可能防止在用户浏览器中执行不受信任的内容(例如用户上载的内容)(例如在恶意命名之后)。 可能会收集有关 Web 应用程序的敏感信息,如用户名、密码、机器名和/或敏感文件位置 缺少“X-Content-Type-Options”头 缺少“X-Content-Type-Options”头 Web 应用程序编程或配置不安全 该问题可能会影响各种类型的产品 受影响的 URL§ http://10.1.20.137:8085/js/bootstrap.min.js § http://10.1.20.137:8085/js/footer.js § http://10.1.20.137:8085/js/header.js § http://10.1.20.137:8085/js/jquery.toaster.js § http://10.1.20.137:8085/js/respond.min.js 问题 1/5( http://10.1.20.137:8085/js/footer.js - footer.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 1163 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /** * Created by cpc on 12/27/15. */ function noticeInfo(content) { $.toaster({ title : content, priority : 'info', message : ')' }); } function noticeWarning(content) { $.toaster({ title : content, priority : 'warning', message : '(' }); } function sendEmail() { $.ajax({ type: 'post', url: rootUrl+'/feedback/sendEmail', success: function() {} }); } $(document).ready(function() { $('#send-feedback').click(function() { var content = $('#feedback-content').val().trim(); if (content == '') { noticeWarning('反馈不能为空'); return; } var data = { content: content }; $.ajax({ type: 'post', url: rootUrl+'/feedback', data: data, success: function(status) { if (status > 0) { sendEmail(); noticeInfo('反馈成功'); $('#modal-feedback').modal('hide'); } else if (status == 0) { $.toaster({ title : '还没登录喔~', priority : 'danger', message : '(' }); } else { $.toaster({ title : '出错啦,请稍候再试~', priority : 'danger', message : '(' }); } } }); }); });
问题 2/5( http://10.1.20.137:8085/js/respond.min.js - respond.min.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 4377 Date: Fri, 11 Oct 2019 01:27:08 GMT Content-Type: application/javascript /*! Respond.js v1.4.2: min/max-width media query polyfill * Copyright 2013 Scott Jehl * Licensed under https://github.com/scottjehl/Respond/blob/master/LICENSE-MIT * */ !function(a){"use strict";a.matchMedia=a.matchMedia||function(a){var b,c=a.documentElement,d=c.firstElementChild||c.firstChild,e=a.createElement("body"),f=a.createElement("div");return f.id="mq-test-1",f.style.cssText="position:absolute;top:-100em",e.style.background="none",e.appendChild(f),function(a){return f.innerHTML='­<style media="'+a+'"> #mq-test-1 { width: 42px; }</style>',c.insertBefore(e,d),b=42===f.offsetWidth,c.removeChild(e),{matches:b,media:a}}}(a.document)}(this),function(a){"use strict";function b(){u(!0)}var c={};a.respond=c,c.update=function(){};var d=[],e=function(){var b=!1;try{b=new a.XMLHttpRequest}catch(c){b=new a.ActiveXObject("Microsoft.XMLHTTP")}return function(){return b}}(),f=function(a,b){var c=e();c&&(c.open("GET",a,!0),c.onreadystatechange=function(){4!==c.readyState||200!==c.status&&304!==c.status||b(c.responseText)},4!==c.readyState&&c.send(null))};if(c.ajax=f,c.queue=d,c.regex={media:/@media[^\{]+\{([^\{\}]*\{[^\}\{]*\})+/gi,keyframes:/@(?:\-(?:o|moz|webkit)\-)?keyframes[^\{]+\{(?:[^\{\}]*\{[^\}\{]*\})+[^\}]*\}/gi,urls:/(url\()['"]?([^\/\)'"][^:\)'"]+)['"]?(\))/g,findStyles:/@media *([^\{]+)\{([\S\s]+?)$/,only:/(only\s+)?([a-zA-Z]+)\s?/,minw:/\([\s]*min\-width\s*:[\s]*([\s]*[0-9\.]+)(px|em)[\s]*\)/,maxw:/\([\s]*max\-width\s*:[\s]*([\s]*[0-9\.]+)(px|em)[\s]*\)/},c.mediaQueriesSupported=a.matchMedia&&null!==a.matchMedia("only all")&&a.matchMedia("only all").matches,!c.mediaQueriesSupported){var g,h,i,j=a.document,k=j.documentElement,l=[],m=[],n=[],o={},p=30,q=j.getElementsByTagName("head")[0]||k,r=j.getElementsByTagName("base")[0],s=q.getElementsByTagName("link"),t=function(){var a,b=j.createElement("div"),c=j.body,d=k.style.fontSize,e=c&&c.style.fontSize,f=!1;return b.style.cssText="position:absolute;font-size:1em;width:1em",c||(c=f=j.createElement("body"),c.style.background="none"),k.style.fontSize="100%",c.style.fontSize="100%",c.appendChild(b),f&&k.insertBefore(c,k.firstChild),a=b.offsetWidth,f?k.removeChild(c):c.removeChild(b),k.style.fontSize=d,e&&(c.style.fontSize=e),a=i=parseFloat(a)},u=function(b){var c="clientWidth",d=k[c],e="CSS1Compat"===j.compatMode&&d||j.body[c]||d,f={},o=s[s.length-1],r=(new Date).getTime();if(b&&g&&p>r-g)return a.clearTimeout(h),h=a.setTimeout(u,p),void 0;g=r;for(var v in l)if(l.hasOwnProperty(v)){var w=l[v],x=w.minw,y=w.maxw,z=null===x,A=null===y,B="em";x&&(x=parseFloat(x)*(x.indexOf(B)>-1?i||t():1)),y&&(y=parseFloat(y)*(y.indexOf(B)>-1?i||t():1)),w.hasquery&&(z&&A||!(z||e>=x)||!(A||y>=e))||(f[w.media]||(f[w.media]=[]),f[w.media].push(m[w.rules]))}for(var C in n)n.hasOwnProperty(C)&&n[C]&&n[C].parentNode===q&&q.removeChild(n[C]);n.length=0;for(var D in f)if(f.hasOwnProperty(D)){var E=j.createElement("style"),F=f[D].join("\n");E.type="text/css",E.media=D,q.insertBefore(E,o.nextSibling),E.styleSheet?E.styleSheet.cssText=F:E.appendChild(j.createTextNode(F)),n.push(E)}},v=function(a,b,d){var e=a.replace(c.regex.keyframes,"").match(c.regex.media),f=e&&e.length||0;b=b.substring(0,b.lastIndexOf("/"));var g=function(a){return a.replace(c.regex.urls,"$1"+b+"$2$3")},h=!f&&d;b.length&&(b+="/"),h&&(f=1);for(var i=0;f>i;i++){var j,k,n,o;h?(j=d,m.push(g(a))):(j=e[i].match(c.regex.findStyles)&&RegExp.$1,m.push(RegExp.$2&&g(RegExp.$2))),n=j.split(","),o=n.length;for(var p=0;o>p;p++)k=n[p],l.push({media:k.split("(")[0].match(c.regex.only)&&RegExp.$2||"all",rules:m.length-1,hasquery:k.indexOf("(")>-1,minw:k.match(c.regex.minw)&&parseFloat(RegExp.$1)+(RegExp.$2||""),maxw:k.match(c.regex.maxw)&&parseFloat(RegExp.$1)+(RegExp.$2||"")})}u()},w=function(){if(d.length){var b=d.shift();f(b.href,function(c){v(c,b.href,b.media),o[b.href]=!0,a.setTimeout(function(){w()},0)})}},x=function(){for(var b=0;b<s.length;b++){var c=s[b],e=c.href,f=c.media,g=c.rel&&"stylesheet"===c.rel.toLowerCase();e&&g&&!o[e]&&(c.styleSheet&&c.styleSheet.rawCssText?(v(c.styleSheet.rawCssText,e,f),o[e]=!0):(!/^([a-zA-Z:]*\/\/)/.test(e)&&!r||e.replace(RegExp.$1,"").split("/")[0]===a.location.host)&&("//"===e.substring(0,2)&&(e=a.location.protocol+e),d.push({href:e,media:f})))}w()};x(),c.update=x,c.getEmValue=t,a.addEventListener?a.addEventListener("resize",b,!1):a.attachEvent&&a.attachEvent("onresize",b)}}(this);
问题 3/5( http://10.1.20.137:8085/js/header.js - header.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 1023 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /** * Created by soujing on 12/27/15. */ $(document).ready(function() { $.get( rootUrl + "/Index/checkLogin", {}, function(data){ if(data){ loginNav(); } else{ $(".logout").parent().remove(); } } ) }) function loginNav(){ $.get( rootUrl + "/User/getLoginInit", {}, function(data){ var mesNum = data['mes_num']; var userName = data['name']; var userIcon = data['icon']; var isRead = data['read']; if(mesNum != 0){ var mesSpan = ' <span class="badge"> '+ mesNum + '</span>'; $("#nav-messages").append(mesSpan); } if(!isRead){ var redPoint = '<div class="red-point"></div>'; $("#nav-notice").children("a").append(redPoint); $("#xs-nav-notice").children("a").append(redPoint); } } ) }
问题 4/5( http://10.1.20.137:8085/js/jquery.toaster.js -jquery.toaster.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 5450 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /*********************************************************************************** * Add Array.indexOf * ***********************************************************************************/ (function () { if (typeof Array.prototype.indexOf !== 'function') { Array.prototype.indexOf = function(searchElement, fromIndex) { for (var i = (fromIndex || 0), j = this.length; i < j; i += 1) { if ((searchElement === undefined) || (searchElement === null)) { if (this[i] === searchElement) { return i; } } else if (this[i] === searchElement) { return i; } } return -1; }; } })(); /**********************************************************************************/ (function ($,undefined) { var toasting = { gettoaster : function () { var toaster = $('#' + settings.toaster.id); if(toaster.length < 1) { toaster = $(settings.toaster.template).attr('id', settings.toaster.id).css(settings.toaster.css).addClass(settings.toaster['class']); if ((settings.stylesheet) && (!$("link[href=" + settings.stylesheet + "]").length)) { $('head').appendTo('<link rel="stylesheet" href="' + settings.stylesheet + '">'); } $(settings.toaster.container).append(toaster); } return toaster; }, notify : function (title, message, priority) { var $toaster = this.gettoaster(); var $toast = $(settings.toast.template.replace('%priority%', priority)).hide().css(settings.toast.css).addClass(settings.toast['class']); $('.title', $toast).css(settings.toast.csst).html(title); $('.message', $toast).css(settings.toast.cssm).html(message); if ((settings.debug) && (window.console)) { console.log(toast); } $toaster.append(settings.toast.display($toast)); if (settings.donotdismiss.indexOf(priority) === -1) { var timeout = (typeof settings.timeout === 'number') ? settings.timeout : ((typeof settings.timeout === 'object') && (priority in settings.timeout)) ? settings.timeout[priority] : 1500; setTimeout(function() { settings.toast.remove($toast, function() { $toast.remove(); }); }, timeout); } } }; var defaults = { 'toaster' : { 'id' : 'toaster', 'container' : 'body', 'template' : '<div></div>', 'class' : 'toaster', 'css' : { 'position' : 'fixed', 'top' : '10px', 'right' : '10px', 'width' : '300px', 'zIndex' : 50000 } }, 'toast' : { 'template' : '<div class="alert alert-%priority% alert-dismissible" role="alert">' + '<button type="button" class="close" data-dismiss="alert">' + '<span aria-hidden="true">×</span>' + '<span class="sr-only">Close</span>' + '</button>' + '<span class="title"></span>: <span class="message"></span>' + '</div>', 'css' : {}, 'cssm' : {}, 'csst' : { 'fontWeight' : 'bold' }, 'fade' : 'slow', 'display' : function ($toast) { return $toast.fadeIn(settings.toast.fade); }, 'remove' : function ($toast, callback) { return $toast.animate( { opacity : '0', padding : '0px', margin : '0px', height : '0px' }, { duration : settings.toast.fade, complete : callback } ); } ...
问题 5/5( http://10.1.20.137:8085/js/bootstrap.min.js -bootstrap.min.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 36816 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /*! * Bootstrap v3.3.5 (http://) * Copyright 2011-2015 Twitter, Inc. * Licensed under the MIT license */ if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");+function(a){"use strict";var b=a.fn.jquery.split(" ")[0].split(".");if(b[0]<2&&b[1]<9||1==b[0]&&9==b[1]&&b[2]<1)throw new Error("Bootstrap's JavaScript requires jQuery version 1.9.1 or higher")}(jQuery),+function(a){"use strict";function b(){var a=document.createElement("bootstrap"),b={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var c in b)if(void 0!==a.style[c])return{end:b[c]};return!1}a.fn.emulateTransitionEnd=function(b){var c=!1,d=this;a(this).one("bsTransitionEnd",function(){c=!0});var e=function(){c||a(d).trigger(a.support.transition.end)};return setTimeout(e,b),this},a(function(){a.support.transition=b(),a.support.transition&&(a.event.special.bsTransitionEnd={bindType:a.support.transition.end,delegateType:a.support.transition.end,handle:function(b){return a(b.target).is(this)?b.handleObj.handler.apply(this,arguments):void 0}})})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var c=a(this),e=c.data("bs.alert");e||c.data("bs.alert",e=new d(this)),"string"==typeof b&&e[b].call(c)})}var c='[data-dismiss="alert"]',d=function(b){a(b).on("click",c,this.close)};d.VERSION="3.3.5",d.TRANSITION_DURATION=150,d.prototype.close=function(b){function c(){g.detach().trigger("closed.bs.alert").remove()}var e=a(this),f=e.attr("data-target");f||(f=e.attr("href"),f=f&&f.replace(/.*(?=#[^\s]*$)/,""));var g=a(f);b&&b.preventDefault(),g.length||(g=e.closest(".alert")),g.trigger(b=a.Event("close.bs.alert")),b.isDefaultPrevented()||(g.removeClass("in"),a.support.transition&&g.hasClass("fade")?g.one("bsTransitionEnd",c).emulateTransitionEnd(d.TRANSITION_DURATION):c())};var e=a.fn.alert;a.fn.alert=b,a.fn.alert.Constructor=d,a.fn.alert.noConflict=function(){return a.fn.alert=e,this},a(document).on("click.bs.alert.data-api",c,d.prototype.close)}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.button"),f="object"==typeof b&&b;e||d.data("bs.button",e=new c(this,f)),"toggle"==b?e.toggle():b&&e.setState(b)})}var c=function(b,d){this.$element=a(b),this.options=a.extend({},c.DEFAULTS,d),this.isLoading=!1};c.VERSION="3.3.5",c.DEFAULTS={loadingText:"loading..."},c.prototype.setState=function(b){var c="disabled",d=this.$element,e=d.is("input")?"val":"html",f=d.data();b+="Text",null==f.resetText&&d.data("resetText",d[e]()),setTimeout(a.proxy(function(){d[e](null==f[b]?this.options[b]:f[b]),"loadingText"==b?(this.isLoading=!0,d.addClass(c).attr(c,c)):this.isLoading&&(this.isLoading=!1,d.removeClass(c).removeAttr(c))},this),0)},c.prototype.toggle=function(){var a=!0,b=this.$element.closest('[data-toggle="buttons"]');if(b.length){var c=this.$element.find("input");"radio"==c.prop("type")?(c.prop("checked")&&(a=!1),b.find(".active").removeClass("active"),this.$element.addClass("active")):"checkbox"==c.prop("type")&&(c.prop("checked")!==this.$element.hasClass("active")&&(a=!1),this.$element.toggleClass("active")),c.prop("checked",this.$element.hasClass("active")),a&&c.trigger("change")}else this.$element.attr("aria-pressed",!this.$element.hasClass("active")),this.$element.toggleClass("active")};var d=a.fn.button;a.fn.button=b,a.fn.button.Constructor=c,a.fn.button.noConflict=function(){return a.fn.button=d,this},a(document).on("click.bs.button.data-api",'[data-toggle^="button"]',function(c){var d=a(c.target);d.hasClass("btn")||(d=d.closest(".btn")),b.call(d,"toggle"),a(c.target).is('input[type="radio"]')||a(c.target).is('input[type="checkbox"]')||c.preventDefault()}).on("focus.bs.button.data-api blur.bs.button.data-api",'[data-toggle^="button"]',function(b){a(b.target).closest(".btn").toggleClass("focus",/^focus(in)?$/.test(b.type))})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.carousel"),f=a.extend({},c.DEFAULTS,d.data(),"object"==typeof b&&b),g="string"==typeof b?b:f.slide;e||d.data("bs.carousel",e=new c(this,f)),"number"==typeof b?e.to(b):g?e[g]():f.interval&&e.pause().cycle()})}var c=function(b,c){this.$element=a(b),this.$indicators=this.$element.find(".carousel-indicators"),this.options=c,this.paused=null,this.sliding=null,this.interval=null,this.$active=null,this.$items=null,this.options.keyboard&&this.$element.on("keydown.bs.caro...
咨询和修订建议“X-XSS-Protection”头强制将跨站点脚本编制过滤器加入“启用”方式,即使用户已禁用时也是如此。该过滤器被构建到最新的 web 浏览器中(IE 8+,Chrome 4+),通常在缺省情况下已启用。虽然它并非设计为第一个选择而且仅能防御跨站点脚本编制,但它充当额外的保护层。 可能会收集有关 Web 应用程序的敏感信息,如用户名、密码、机器名和/或敏感文件位置 缺少“X-XSS-Protection”头 缺少“X-XSS-Protection”头 Web 应用程序编程或配置不安全 该问题可能会影响各种类型的产品 受影响的 URL§ http://10.1.20.137:8085/js/bootstrap.min.js § http://10.1.20.137:8085/js/footer.js § http://10.1.20.137:8085/js/header.js § http://10.1.20.137:8085/js/jquery.toaster.js § http://10.1.20.137:8085/js/respond.min.js 问题 1/5( http://10.1.20.137:8085/js/footer.js - footer.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 1163 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /** * Created by cpc on 12/27/15. */ function noticeInfo(content) { $.toaster({ title : content, priority : 'info', message : ')' }); } function noticeWarning(content) { $.toaster({ title : content, priority : 'warning', message : '(' }); } function sendEmail() { $.ajax({ type: 'post', url: rootUrl+'/feedback/sendEmail', success: function() {} }); } $(document).ready(function() { $('#send-feedback').click(function() { var content = $('#feedback-content').val().trim(); if (content == '') { noticeWarning('反馈不能为空'); return; } var data = { content: content }; $.ajax({ type: 'post', url: rootUrl+'/feedback', data: data, success: function(status) { if (status > 0) { sendEmail(); noticeInfo('反馈成功'); $('#modal-feedback').modal('hide'); } else if (status == 0) { $.toaster({ title : '还没登录喔~', priority : 'danger', message : '(' }); } else { $.toaster({ title : '出错啦,请稍候再试~', priority : 'danger', message : '(' }); } } }); }); });
问题 2/5( http://10.1.20.137:8085/js/header.js - header.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 1023 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /** * Created by soujing on 12/27/15. */ $(document).ready(function() { $.get( rootUrl + "/Index/checkLogin", {}, function(data){ if(data){ loginNav(); } else{ $(".logout").parent().remove(); } } ) }) function loginNav(){ $.get( rootUrl + "/User/getLoginInit", {}, function(data){ var mesNum = data['mes_num']; var userName = data['name']; var userIcon = data['icon']; var isRead = data['read']; if(mesNum != 0){ var mesSpan = ' <span class="badge"> '+ mesNum + '</span>'; $("#nav-messages").append(mesSpan); } if(!isRead){ var redPoint = '<div class="red-point"></div>'; $("#nav-notice").children("a").append(redPoint); $("#xs-nav-notice").children("a").append(redPoint); } } ) }
问题 3/5( http://10.1.20.137:8085/js/respond.min.js - respond.min.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 4377 Date: Fri, 11 Oct 2019 01:27:08 GMT Content-Type: application/javascript /*! Respond.js v1.4.2: min/max-width media query polyfill * Copyright 2013 Scott Jehl * Licensed under https://github.com/scottjehl/Respond/blob/master/LICENSE-MIT * */ !function(a){"use strict";a.matchMedia=a.matchMedia||function(a){var b,c=a.documentElement,d=c.firstElementChild||c.firstChild,e=a.createElement("body"),f=a.createElement("div");return f.id="mq-test-1",f.style.cssText="position:absolute;top:-100em",e.style.background="none",e.appendChild(f),function(a){return f.innerHTML='­<style media="'+a+'"> #mq-test-1 { width: 42px; }</style>',c.insertBefore(e,d),b=42===f.offsetWidth,c.removeChild(e),{matches:b,media:a}}}(a.document)}(this),function(a){"use strict";function b(){u(!0)}var c={};a.respond=c,c.update=function(){};var d=[],e=function(){var b=!1;try{b=new a.XMLHttpRequest}catch(c){b=new a.ActiveXObject("Microsoft.XMLHTTP")}return function(){return b}}(),f=function(a,b){var c=e();c&&(c.open("GET",a,!0),c.onreadystatechange=function(){4!==c.readyState||200!==c.status&&304!==c.status||b(c.responseText)},4!==c.readyState&&c.send(null))};if(c.ajax=f,c.queue=d,c.regex={media:/@media[^\{]+\{([^\{\}]*\{[^\}\{]*\})+/gi,keyframes:/@(?:\-(?:o|moz|webkit)\-)?keyframes[^\{]+\{(?:[^\{\}]*\{[^\}\{]*\})+[^\}]*\}/gi,urls:/(url\()['"]?([^\/\)'"][^:\)'"]+)['"]?(\))/g,findStyles:/@media *([^\{]+)\{([\S\s]+?)$/,only:/(only\s+)?([a-zA-Z]+)\s?/,minw:/\([\s]*min\-width\s*:[\s]*([\s]*[0-9\.]+)(px|em)[\s]*\)/,maxw:/\([\s]*max\-width\s*:[\s]*([\s]*[0-9\.]+)(px|em)[\s]*\)/},c.mediaQueriesSupported=a.matchMedia&&null!==a.matchMedia("only all")&&a.matchMedia("only all").matches,!c.mediaQueriesSupported){var g,h,i,j=a.document,k=j.documentElement,l=[],m=[],n=[],o={},p=30,q=j.getElementsByTagName("head")[0]||k,r=j.getElementsByTagName("base")[0],s=q.getElementsByTagName("link"),t=function(){var a,b=j.createElement("div"),c=j.body,d=k.style.fontSize,e=c&&c.style.fontSize,f=!1;return b.style.cssText="position:absolute;font-size:1em;width:1em",c||(c=f=j.createElement("body"),c.style.background="none"),k.style.fontSize="100%",c.style.fontSize="100%",c.appendChild(b),f&&k.insertBefore(c,k.firstChild),a=b.offsetWidth,f?k.removeChild(c):c.removeChild(b),k.style.fontSize=d,e&&(c.style.fontSize=e),a=i=parseFloat(a)},u=function(b){var c="clientWidth",d=k[c],e="CSS1Compat"===j.compatMode&&d||j.body[c]||d,f={},o=s[s.length-1],r=(new Date).getTime();if(b&&g&&p>r-g)return a.clearTimeout(h),h=a.setTimeout(u,p),void 0;g=r;for(var v in l)if(l.hasOwnProperty(v)){var w=l[v],x=w.minw,y=w.maxw,z=null===x,A=null===y,B="em";x&&(x=parseFloat(x)*(x.indexOf(B)>-1?i||t():1)),y&&(y=parseFloat(y)*(y.indexOf(B)>-1?i||t():1)),w.hasquery&&(z&&A||!(z||e>=x)||!(A||y>=e))||(f[w.media]||(f[w.media]=[]),f[w.media].push(m[w.rules]))}for(var C in n)n.hasOwnProperty(C)&&n[C]&&n[C].parentNode===q&&q.removeChild(n[C]);n.length=0;for(var D in f)if(f.hasOwnProperty(D)){var E=j.createElement("style"),F=f[D].join("\n");E.type="text/css",E.media=D,q.insertBefore(E,o.nextSibling),E.styleSheet?E.styleSheet.cssText=F:E.appendChild(j.createTextNode(F)),n.push(E)}},v=function(a,b,d){var e=a.replace(c.regex.keyframes,"").match(c.regex.media),f=e&&e.length||0;b=b.substring(0,b.lastIndexOf("/"));var g=function(a){return a.replace(c.regex.urls,"$1"+b+"$2$3")},h=!f&&d;b.length&&(b+="/"),h&&(f=1);for(var i=0;f>i;i++){var j,k,n,o;h?(j=d,m.push(g(a))):(j=e[i].match(c.regex.findStyles)&&RegExp.$1,m.push(RegExp.$2&&g(RegExp.$2))),n=j.split(","),o=n.length;for(var p=0;o>p;p++)k=n[p],l.push({media:k.split("(")[0].match(c.regex.only)&&RegExp.$2||"all",rules:m.length-1,hasquery:k.indexOf("(")>-1,minw:k.match(c.regex.minw)&&parseFloat(RegExp.$1)+(RegExp.$2||""),maxw:k.match(c.regex.maxw)&&parseFloat(RegExp.$1)+(RegExp.$2||"")})}u()},w=function(){if(d.length){var b=d.shift();f(b.href,function(c){v(c,b.href,b.media),o[b.href]=!0,a.setTimeout(function(){w()},0)})}},x=function(){for(var b=0;b<s.length;b++){var c=s[b],e=c.href,f=c.media,g=c.rel&&"stylesheet"===c.rel.toLowerCase();e&&g&&!o[e]&&(c.styleSheet&&c.styleSheet.rawCssText?(v(c.styleSheet.rawCssText,e,f),o[e]=!0):(!/^([a-zA-Z:]*\/\/)/.test(e)&&!r||e.replace(RegExp.$1,"").split("/")[0]===a.location.host)&&("//"===e.substring(0,2)&&(e=a.location.protocol+e),d.push({href:e,media:f})))}w()};x(),c.update=x,c.getEmValue=t,a.addEventListener?a.addEventListener("resize",b,!1):a.attachEvent&&a.attachEvent("onresize",b)}}(this);
问题 4/5( http://10.1.20.137:8085/js/jquery.toaster.js -jquery.toaster.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 5450 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /*********************************************************************************** * Add Array.indexOf * ***********************************************************************************/ (function () { if (typeof Array.prototype.indexOf !== 'function') { Array.prototype.indexOf = function(searchElement, fromIndex) { for (var i = (fromIndex || 0), j = this.length; i < j; i += 1) { if ((searchElement === undefined) || (searchElement === null)) { if (this[i] === searchElement) { return i; } } else if (this[i] === searchElement) { return i; } } return -1; }; } })(); /**********************************************************************************/ (function ($,undefined) { var toasting = { gettoaster : function () { var toaster = $('#' + settings.toaster.id); if(toaster.length < 1) { toaster = $(settings.toaster.template).attr('id', settings.toaster.id).css(settings.toaster.css).addClass(settings.toaster['class']); if ((settings.stylesheet) && (!$("link[href=" + settings.stylesheet + "]").length)) { $('head').appendTo('<link rel="stylesheet" href="' + settings.stylesheet + '">'); } $(settings.toaster.container).append(toaster); } return toaster; }, notify : function (title, message, priority) { var $toaster = this.gettoaster(); var $toast = $(settings.toast.template.replace('%priority%', priority)).hide().css(settings.toast.css).addClass(settings.toast['class']); $('.title', $toast).css(settings.toast.csst).html(title); $('.message', $toast).css(settings.toast.cssm).html(message); if ((settings.debug) && (window.console)) { console.log(toast); } $toaster.append(settings.toast.display($toast)); if (settings.donotdismiss.indexOf(priority) === -1) { var timeout = (typeof settings.timeout === 'number') ? settings.timeout : ((typeof settings.timeout === 'object') && (priority in settings.timeout)) ? settings.timeout[priority] : 1500; setTimeout(function() { settings.toast.remove($toast, function() { $toast.remove(); }); }, timeout); } } }; var defaults = { 'toaster' : { 'id' : 'toaster', 'container' : 'body', 'template' : '<div></div>', 'class' : 'toaster', 'css' : { 'position' : 'fixed', 'top' : '10px', 'right' : '10px', 'width' : '300px', 'zIndex' : 50000 } }, 'toast' : { 'template' : '<div class="alert alert-%priority% alert-dismissible" role="alert">' + '<button type="button" class="close" data-dismiss="alert">' + '<span aria-hidden="true">×</span>' + '<span class="sr-only">Close</span>' + '</button>' + '<span class="title"></span>: <span class="message"></span>' + '</div>', 'css' : {}, 'cssm' : {}, 'csst' : { 'fontWeight' : 'bold' }, 'fade' : 'slow', 'display' : function ($toast) { return $toast.fadeIn(settings.toast.fade); }, 'remove' : function ($toast, callback) { return $toast.animate( { opacity : '0', padding : '0px', margin : '0px', height : '0px' }, { duration : settings.toast.fade, complete : callback } ); } ...
问题 5/5( http://10.1.20.137:8085/js/bootstrap.min.js -bootstrap.min.js )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Referer: http://10.1.20.137:8085/tologin Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT Accept-Ranges: bytes Content-Length: 36816 Date: Fri, 11 Oct 2019 01:27:10 GMT Content-Type: application/javascript /*! * Bootstrap v3.3.5 (http://) * Copyright 2011-2015 Twitter, Inc. * Licensed under the MIT license */ if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");+function(a){"use strict";var b=a.fn.jquery.split(" ")[0].split(".");if(b[0]<2&&b[1]<9||1==b[0]&&9==b[1]&&b[2]<1)throw new Error("Bootstrap's JavaScript requires jQuery version 1.9.1 or higher")}(jQuery),+function(a){"use strict";function b(){var a=document.createElement("bootstrap"),b={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var c in b)if(void 0!==a.style[c])return{end:b[c]};return!1}a.fn.emulateTransitionEnd=function(b){var c=!1,d=this;a(this).one("bsTransitionEnd",function(){c=!0});var e=function(){c||a(d).trigger(a.support.transition.end)};return setTimeout(e,b),this},a(function(){a.support.transition=b(),a.support.transition&&(a.event.special.bsTransitionEnd={bindType:a.support.transition.end,delegateType:a.support.transition.end,handle:function(b){return a(b.target).is(this)?b.handleObj.handler.apply(this,arguments):void 0}})})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var c=a(this),e=c.data("bs.alert");e||c.data("bs.alert",e=new d(this)),"string"==typeof b&&e[b].call(c)})}var c='[data-dismiss="alert"]',d=function(b){a(b).on("click",c,this.close)};d.VERSION="3.3.5",d.TRANSITION_DURATION=150,d.prototype.close=function(b){function c(){g.detach().trigger("closed.bs.alert").remove()}var e=a(this),f=e.attr("data-target");f||(f=e.attr("href"),f=f&&f.replace(/.*(?=#[^\s]*$)/,""));var g=a(f);b&&b.preventDefault(),g.length||(g=e.closest(".alert")),g.trigger(b=a.Event("close.bs.alert")),b.isDefaultPrevented()||(g.removeClass("in"),a.support.transition&&g.hasClass("fade")?g.one("bsTransitionEnd",c).emulateTransitionEnd(d.TRANSITION_DURATION):c())};var e=a.fn.alert;a.fn.alert=b,a.fn.alert.Constructor=d,a.fn.alert.noConflict=function(){return a.fn.alert=e,this},a(document).on("click.bs.alert.data-api",c,d.prototype.close)}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.button"),f="object"==typeof b&&b;e||d.data("bs.button",e=new c(this,f)),"toggle"==b?e.toggle():b&&e.setState(b)})}var c=function(b,d){this.$element=a(b),this.options=a.extend({},c.DEFAULTS,d),this.isLoading=!1};c.VERSION="3.3.5",c.DEFAULTS={loadingText:"loading..."},c.prototype.setState=function(b){var c="disabled",d=this.$element,e=d.is("input")?"val":"html",f=d.data();b+="Text",null==f.resetText&&d.data("resetText",d[e]()),setTimeout(a.proxy(function(){d[e](null==f[b]?this.options[b]:f[b]),"loadingText"==b?(this.isLoading=!0,d.addClass(c).attr(c,c)):this.isLoading&&(this.isLoading=!1,d.removeClass(c).removeAttr(c))},this),0)},c.prototype.toggle=function(){var a=!0,b=this.$element.closest('[data-toggle="buttons"]');if(b.length){var c=this.$element.find("input");"radio"==c.prop("type")?(c.prop("checked")&&(a=!1),b.find(".active").removeClass("active"),this.$element.addClass("active")):"checkbox"==c.prop("type")&&(c.prop("checked")!==this.$element.hasClass("active")&&(a=!1),this.$element.toggleClass("active")),c.prop("checked",this.$element.hasClass("active")),a&&c.trigger("change")}else this.$element.attr("aria-pressed",!this.$element.hasClass("active")),this.$element.toggleClass("active")};var d=a.fn.button;a.fn.button=b,a.fn.button.Constructor=c,a.fn.button.noConflict=function(){return a.fn.button=d,this},a(document).on("click.bs.button.data-api",'[data-toggle^="button"]',function(c){var d=a(c.target);d.hasClass("btn")||(d=d.closest(".btn")),b.call(d,"toggle"),a(c.target).is('input[type="radio"]')||a(c.target).is('input[type="checkbox"]')||c.preventDefault()}).on("focus.bs.button.data-api blur.bs.button.data-api",'[data-toggle^="button"]',function(b){a(b.target).closest(".btn").toggleClass("focus",/^focus(in)?$/.test(b.type))})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.carousel"),f=a.extend({},c.DEFAULTS,d.data(),"object"==typeof b&&b),g="string"==typeof b?b:f.slide;e||d.data("bs.carousel",e=new c(this,f)),"number"==typeof b?e.to(b):g?e[g]():f.interval&&e.pause().cycle()})}var c=function(b,c){this.$element=a(b),this.$indicators=this.$element.find(".carousel-indicators"),this.options=c,this.paused=null,this.sliding=null,this.interval=null,this.$active=null,this.$items=null,this.options.keyboard&&this.$element.on("keydown.bs.caro...
咨询和修订建议“autocomplete”属性已在 HTML5 标准中进行规范。W3C 的站点声明该属性有两种状态:“on”和“off”,完全忽略时等同于设置为“on”。 该页面易受攻击,因为“input”元素的“password”字段中的“autocomplete”属性没有设置为“off”。 这可能会使未授权用户(具有授权客户机的本地访问权)能够自动填写用户名和密码字段,并因此登录站点。 可能会绕开 Web 应用程序的认证机制 自动填写未对密码字段禁用的 HTML 属性 自动填写未对密码字段禁用的 HTML 属性 Web 应用程序编程或配置不安全 不适用 受影响的 URL§ http://10.1.20.137:8085/tologin 问题 1/1( http://10.1.20.137:8085/tologin - tologin )严重性: LowCVSS 计分: 5图像
所有变体 变体差异变体原因 变体验证· <label for="login-password" class="sr-only">密码</label> <input type="password" id="login-password" class="form-control" placeholder="密码" required> <div class="checkbox"> <label class · <label for="regpassword" class="sr-only">密码</label> <input type="password" id="registerPassword" class="form-control" placeholder="密码" required> <label for="phone" class="sr-only">手机号</label> · px; margin-top: 5px;" id="verify_refresh" onclick="setButtonStatus(this)">获取验证码</button> <input type="password" id="register-password" class="form-control" placeholder="验证码" required > <button class="btn btn-lg btn-primary btn-block register" id="butre 变体请求响应 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 10.1.20.137:8085 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US HTTP/1.1 200 x-ua-compatible: IE=edge Transfer-Encoding: chunked cache-control: no-transform Content-Language: en-US Date: Fri, 11 Oct 2019 01:32:47 GMT Content-Type: text/html;charset=UTF-8 <!DOCTYPE html> <html lang="zh-CN"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta http-equiv="Cache-Control" content="no-transform"> <title>login</title> <link rel="shortcut icon" href="/Public/img/favicon.ico"/> <link href="/css/bootstrap.css" rel="stylesheet"> <link href="/css/main.css" rel="stylesheet" type="text/css" /> <link href="/css/index.css" rel="stylesheet" type="text/css" /> <link href="/css/detail.css" rel="stylesheet" type="text/css" /> <link href="/css/user.css" rel="stylesheet" type="text/css" /> <link href="/css/announcement.css" rel="stylesheet" type="text/css" /> <link href="/css/bootstrap-datetimepicker.min.css" rel="stylesheet" type="text/css" /> <link rel="stylesheet" href="/css/login.css" /> <script src="/js/html5shiv.min.js"></script> <script src="/js/respond.min.js"></script> <script src="/js/jquery.min.js"></script> <script> var rootUrl = ''; </script> <script type="text/javascript"> $(function(){ $("#but").click(function(){ $.ajax({ url:"/checkLogin", type:"post", dataType:"json", data:{ "admin":$("#username").val(), "password":$("#login-password").val(), }, success:function(data){ if(data.mess){ location.href="/tomain"; } else{ $("#f1").html("用户名或密码输入错误"); } }, error:function(data){ alert("请填写正确信息!!!"); } }); }); /* 注册 */ /* 先验证用户名是否存在*/ var flag; $("#regadmin").blur(function(){ $.ajax({ url:"/checkRegister", type:"post", dataType:"json", data:{ "admin":$("#regadmin").val(), }, success:function(data){ if(data.mess){ flag=data.mess; $("#f2").html("用户名已存在,请重新输入"); } }, error:function(data){ alert("请填写正确信息!!!"); } }) /* 获取焦点的时候 */ $("#regadmin").focus(function(){ $("#f2").html(""); }) /* 点击获取验证码的时候 */ var hash; var tamp; var wait=60; $("#verify_refresh").click(function(){ $.ajax({ dataType:"json", type:"post", url:"/sendMsg", data:{"telephone":$("#telephone").val()}, xhrFields: { withCredentials: true }, success: function (data) { hash = data.hash; tamp = data.tamp; }, error: function (data) { alert("请填写正确信息!!!"); } }); }) /* 设置时间 */ function setButtonStatus(that) { if (wait == 0) { that.removeAttribute("disabled"); that.value="免费获取验证码"; wait = 60; } else { that.setAttribute("disabled", true); that.value=wait+"秒后可以重新发送"; wait--; setTimeout(function() { setButtonStatus(that) }, 1000) } } /* 点击注册 */ $("#butregster").click(function(){ $.ajax({ dataType:"json", type:"post", url:"/validate", data:{ "msgNum":$("#register-password").val(),/* 验证码 */ "hash":hash, "tamp":tamp, "telphone":$("#telephone").val(), "admin":$("#regadmin").val(),/* 用户名 */ "password":$("#registerPassword").val()/* 密码 */ }, success: function (data) { if(data.flag){ location.href="/tologin"; }else{ alert("验证码错误或超时"); } }, error: function (data) { alert("请填写正确信息!!!"); } }); }) }) }) </script> </head> <body> <div class="home"> <header class="header"> <nav class="navbar navbar-default navbar-fixed-top"> <div class="container"> <div class="row"> <div class="hidden-xs hidden-sm col-md-3 col-lg-3"> <div class="navbar-header navbar-left"> <a class="navbar-brand-mc" href="/tomain"> <img src="/picture/milogo.png" alt="logo"/> <h4 class="company-name">钱多多金融</h4> </a> </div> </div> </div> </div> </nav> </header> <div class="content"> <div class="wrapper"> <div class="container"> <div class="row"> <div class="wrapper-intro col-xs-0 col-sm-6 col-md-8 col-lg-8"> <img src="/picture/milogo.png"/> <br/> ...
严重性为参考信息的“问题类型”测试策略名称: Default 描述: 该策略包含所有测试,但侵入式和端口侦听器测试除外。 测试( 104 ):
高优先级修复任务中优先级修复任务低优先级修复任务
如果“input”元素的“password”字段中缺失“autocomplete”属性,请进行添加并将其设置为“off“。 如果“autocomplete”属性设置为“on”,请将其更改为“off”。 例如:易受攻击站点: <form action="AppScan.html" method="get"> Username: <input type="text" name="firstname" /><br /> Password: <input type="password" name="lastname" /> <input type="submit" value="Submit" /> <form> 非易受攻击站点: <form action="AppScan.html" method="get"> Username: <input type="text" name="firstname" /><br /> Password: <input type="password" name="lastname" autocomplete="off"/> <input type="submit" value="Submit" /> <form> 要修订的变量
相关联的问题类型
将您的服务器配置为发送“Content-Security-Policy”头。对于Apache,请参阅: http://httpd./docs/2.2/mod/mod_headers.html 对于 IIS,请参阅: https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx 对于 nginx,请参阅: http:///en/docs/http/ngx_http_headers_module.html 要修订的变量
相关联的问题类型
将您的服务器配置为在所有传出请求上发送值为“nosniff”的“X-Content-Type-Options”头。对于Apache,请参阅: http://httpd./docs/2.2/mod/mod_headers.html 对于 IIS,请参阅: https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx 对于 nginx,请参阅: http:///en/docs/http/ngx_http_headers_module.html 要修订的变量
相关联的问题类型
将您的服务器配置为在所有传出请求上发送值为“1”(例如已启用)的“X-XSS-Protection”头。对于 Apache,请参阅: http://httpd./docs/2.2/mod/mod_headers.html 对于 IIS,请参阅: https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx 对于 nginx,请参阅: http:///en/docs/http/ngx_http_headers_module.html 要修订的变量
相关联的问题类型
将子资源完整性添加到源不在您的域中的每个脚本/链接。 W3C 子资源完整性: https://www./TR/SRI/ SRI 散列生成器: https:// 不支持 SRI 的样本脚本元素: <script src="https:///example-framework.js" crossorigin="anonymous"></script> 支持 SRI 的样本脚本元素: <script src="https:///example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script> 要修订的变量
相关联的问题类型
如果服务器不需要支持 WebDAV,请务必禁用它,或禁止不必要的 HTTP 方法(动词)。 要修订的变量
相关联的问题类型
参数
失败请求
注释
cookie
应用程序 URL§ http://10.1.20.137:8085/tologin § http://10.1.20.137:8085/js/html5shiv.min.js § http://10.1.20.137:8085/js/respond.min.js § http://10.1.20.137:8085/js/jquery.min.js § http://10.1.20.137:8085/js/footer.js § http://10.1.20.137:8085/js/header.js § http://10.1.20.137:8085/js/bootstrap.min.js § http://10.1.20.137:8085/js/jquery.toaster.js § http://10.1.20.137:8085/js/index.js § http://10.1.20.137:8085/tomain § http://10.1.20.137:8085/js/jquery-2.1.4/jquery.js |
|
|
